CVE-2008-5659

GNU Classpath <0.97.2 - Info Disclosure

Description

The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and earlier uses a predictable seed based on the system time, which makes it easier for context-dependent attackers to conduct brute force attacks against cryptographic routines that use this class for randomness, as demonstrated against DSA private keys.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Jack Lloyd · c++ · remote · multiple
https://www.exploit-db.com/exploits/32674

exploitdb · WORKING POC · VERIFIED
by Jack Lloyd · java · remote · multiple
https://www.exploit-db.com/exploits/32673

Scores

EPSS 0.0316
EPSS Percentile 87.0%

Details

CWE CWE-310
Status published
Products (25)
gnu/classpath 0.6
gnu/classpath 0.7
gnu/classpath 0.8
gnu/classpath 0.9
gnu/classpath 0.10
gnu/classpath 0.11
gnu/classpath 0.12
gnu/classpath 0.13
gnu/classpath 0.14
gnu/classpath 0.15
... and 15 more
Published Dec 17, 2008
Tracked Since Feb 18, 2026